Safety Unit and an Improved Safety System Comprising a Number of Safety Units

ABSTRACT

A programmable safety unit for monitoring and controlling safety functions of a hazardous environment, for example an environment including hazardous machines, processes, materials, and so forth and safety equipment associated with the hazardous environment. A safety unit is adapted for external mounting, and includes a programmable safety module and a connection part that are interconnectable enabling mounting/demounting and replacement of the programmable safety module and/or the connection part. The safety unit further includes at least two connections that are programmable as safe inputs and/or outputs for direct connection to at least a number of the safety functions or equipment of the hazardous environment, and for example the machines and/or processes.

TECHNICAL FIELD

The present invention relates to a programmable safety unit forproviding, maintaining and assuring safety in and/or around hazardousmachines, processes or similar having the features of the first part ofclaim 1.

The invention also relates to a safety system having the features of thefirst part of claim 13.

The invention also relates to a method in a programmable safety systemhaving the features of the first part of claim 19.

BACKGROUND

In order to prevent accidents in and around machines and processessafety devices are e.g. needed to detect people coming into an hazardousspace, coming close to a machine in operation, being in an hazardousarea when a machine is put into operation etc. It is also necessary thathazardous machines and processes can be stopped in a safe way before aperson enters the hazardous space, or is in a hazardous space close to amachine, before, but also at occurrence, of an incident etc.

A simple safety system can be based on a fence around a machine and aninterlocked gate. If the interlocked gate is opened all hazardousfunctions must be stopped. An interlocked gate has a safety sensor whichdetects if the gate is opened and it will give a signal to a safety unitwhich stops the hazardous machines and processes. If someone actuallycan enter the space inside the gate and close, it is a requirement thatit is possible to verify that no one is inside the fence before a newstart of the machine can be allowed. This can be done by means of a pushbutton outside the gate placed such that there is a good overview of thehazardous space. This push button is called a reset. After the gate isclosed, a reset has to be done which normally means to press and releasethe push button. The pressing and releasing is supervised by a safetyunit connected to the push button. Sometime it is hard to see from theoutside of the fence that no one is inside the fence. This can be solvedby an extra supervised time reset push button inside the fence in orderto make sure that somebody goes in to check that no one is inside. Thisinside reset starts a clock with a pre-settable time period before lapseof which the space has to be left, the gate closed and the other resetbe pressed.

This is one way to make sure there is no one left inside the fence.

Normally there is also provided an emergency stop push button outsidethe fence. In such a case the complete safety function to stop and toallow restart of the hazardous machines and processes is based on thecontrol and the supervision of the following safety devices: a sensor onthe gate, a reset push button outside the fence, a time reset pushbutton inside the fence and an emergency stop push button.

The control and the supervision are normally based on one or more safetyunits or modules provided inside a control cabinet. The safety units ormodules can have a fixed function as well as a programmable function. Onthe market safety modules are e.g. named safety relays, safety PLCs(safety Programmable Logic Controller), safety control units etc.

To install such a safety system, cables have to be connected from thecontrol cabinet to the sensor, to the reset push button box, to the timereset push button box and to the emergency stop push button box and tothe machines and processes.

Normally a safety system e.g. used within production additionally needsfurther safety functions such as additional supervised gates, supervisedopenings for detecting material for allowed transport into and out ofthe hazardous space, safety devices for setting up the productionprocess and troubleshooting.

The control cabinet with the safety units or modules needs drawings,wires, marking of wires, DIN (Deutsches Institut für Normung)-rails forsafety modules, terminals for cables, cable glands, and requires manualmounting and inspection in order to ensure safety that is provided andupheld according to regulations and standards. The control cabinet iscostly and complicated to make and to make installations and connectionsis time consuming and complicated, and for a production line it is oftenunique and often involves machines from different manufacturers.

EP 1 496 411 shows a safety controller adapted to be mounted on a DINrail in a control cabinet as discussed above.

When it is possible, companies are standardising on some safetyfunctions in order to reduce the costs for the documentation and theinspection. This means, however, that changing from a standard solutionis costly and complicated.

The requirements for the safety functions are described in safetystandards globally and locally. In Europe the requirements are writtenin the Machinery Directive and in the EN standards for safety. Theglobal standards for safety are in many cases in line with the ENstandards. Large numbers of safety devices and safety modules have to becertified according to the safety standards before they can be used inEurope and also in other countries around the world.

If there is to be a combination of safety devices inside a controlcabinet, a verification thereof is required as well. The costs for allthe paperwork and inspection can be very high.

Thus, to summarize, there are several drawbacks associated with todayused safety systems and safety units, such as the requirement as tospecialized or customized control cabinets, high cost and time consumingdocumentation, planning and paperwork, certification and inspections.Other significant drawbacks consist in the large number of cables thatare needed, and, in addition, the large number of wires inside thecables, which is very disadvantageous for installation and replacementpurposes, the connection of each wire also needing to be verified, forpractical reasons, and not least for reasons of trouble shooting. Stillfurther, installation is complicated and time consuming, maintenancecosts are high, and maintenance as such is complicated.

In addition, it is, among other things for the reasons given above, verycomplicated and time consuming to perform modifications, adaptations andalterations in/to such a known safety system, which means that, inpractice, known systems have a limited flexibility.

SUMMARY

It is therefore an object of the present invention to provide aprogrammable safety unit as initially referred to through which one ormore of the above-mentioned problems can be overcome.

It is particularly an object to provide a programmable safety unit whichis easy to install, use and operate.

It is further a particular object to provide a programmable safety unitwhich is easy to maintain and which enables easy and straightforwardmodifications and improvements of safety functions.

It is also an object to provide a programmable safety unit through whichpaper work, documentation and inspection can be facilitated and reducedand that the costs associated therewith can be reduced.

It is also an object to provide a programmable safety unit which enablesand facilitates installation, modification and upgrading in a fast andreliable manner and which allows for fulfilment of high and reliablesafety functions.

It is a particular object to provide a programmable safety unit throughwhich the number of cables, and/or the number of wires in each cable canbe reduced while providing any required safety functions.

A most particular object is to provide a programmable safety unit whichallows for a high flexibility as far as safety installations areconcerned, which facilitates inspection and reduces the need of manualinspections.

Still further it is an object to provide a safety module through whichthe requirements as to customization for each particular hazardousenvironment are reduced as compared to for known safety units.

Therefore a programmable safety unit as initially referred to isprovided which has the characterizing features of claim 1.

Still further it is an object to provide a safety system as initiallyreferred to through which one or more of the above mentioned problemscan be solved.

Therefore a safety system as initially referred to is provided which hasthe characterizing features of claim 13.

Further yet it is an object to provide a method in a safety systemthrough which one or more of the above mentioned problems can be solved.

Therefore a method in a programmable safety system as initially referredis provided which has the characterizing features of claim 19.

Advantageous embodiments are given by the respective appended dependentclaims.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will in the following be further described in anon-limiting manner, and with reference to the accompanying drawings, inwhich:

FIG. 1 schematically illustrates a safety system according to the stateof the art,

FIG. 2 schematically illustrates a safety unit according to a firstembodiment of the present invention,

FIG. 3 schematically illustrates a safety unit according to a secondembodiment of the present invention,

FIG. 4 schematically illustrates a safety unit, which is wireless,according to a third embodiment of the invention,

FIG. 4A is a schematic block diagram of a wireless safety unit,

FIG. 5A is a schematic illustration of a safety unit interconnectionmeans comprising a screw,

FIG. 5B is a view from above of the screw in FIG. 5A,

FIG. 5C is another schematic illustration of a safety unitinterconnection means comprising a screw,

FIG. 5D illustrates an embodiment of a safety unit with connectioncables and optionally connectable to another safety unit,

FIG. 5E is a view in perspective of an embodiment with four safety unitswith connection cables mounted on a fencing,

FIG. 5F is a front view of the embodiment shown in FIG. 5E with foursafety units with connection cables mounted on a fencing,

FIG. 5G is a view in perspective showing a number of safety units as inFIG. 5E,

FIG. 6A is a simplified view in cross-section of two interconnectedsafety units according to one embodiment of the invention,

FIG. 6B is a view similar to that of FIG. 6A before mounting,

FIG. 6C is a simplified view in perspective of the two interconnectedsafety units of FIG. 6A,

FIG. 7 is a very schematic block diagram of a number of communicatingprogrammable safety units,

FIG. 8 is a very schematic block diagram of a number of programmablesafety units which are communicating wirelessly and having hardwiredconnections to machines, emergency stops etc.,

FIG. 9 schematically illustrates a safety system according to oneembodiment of the invention,

FIG. 10 schematically illustrates a safety system according to anotherembodiment of the invention,

FIG. 11 schematically illustrates a safety system according to stillanother embodiment of the invention,

FIG. 12 schematically illustrates a safety system according to anembodiment of the invention wherein a safety unit further is connectedvia Wi-Fi to a portable wireless device,

FIG. 13A schematically illustrates a connection part of a safetyfunction control module, a safety unit, from the inside according to oneembodiment of the invention,

FIG. 13B schematically illustrates a safety module part of a safetyfunction control module, a safety unit, from the inside forinterconnection with the connection part of FIG. 13A,

FIG. 14A is a schematic view in cross-section illustrating theinterconnected safety function module parts of FIGS. 13A,13B, and

FIG. 14B shows more in detail section A as indicated in FIG. 14A.

DETAILED DESCRIPTION

FIG. 1 is a schematic block diagram showing a safety system 1010according to the state of the art. FIG. 1 illustrates hazardous machinesand/or processes 6 ₀, a hazardous space 7 ₀, enclosures 5 ₀, aninterlocked gate 11 ₀ and safety sensors 41 ₀, 42 ₀ for detecting theopening state of a gate, i.e. if it is opened or closed. It alsodiscloses a push button box 20 with emergency stop and reset and a timereset 42 ₀. As discussed in the background section, a control cabinet 8₀ is provided which comprises a number of safety modules and terminals.As can be seen in FIG. 1, all units, safety sensors, time reset,hazardous machines, push button box etc. are connected to the controlcabinet 8 ₀ via cables 9 ₀.

FIG. 2 shows a safety unit 10, also called a safety function controlmodule or a safety box 10, comprising a connection part 30 and a safetymodule part 20. In the shown embodiment the safety module part 20 andthe connection part 30 are electrically interconnected by means of aterminal 21 providing all connections. It should be clear thatalternatively wires can be used instead of a terminal, cf e.g. FIG. 3.The safety module part 20 comprises a programmable module and here alsocomprises e.g. two connections 211,212. The connection part 30preferably comprises a number of further connection possibilities311,312 e.g. for safety devices, other safety units and machines and/orprocesses (not shown in FIG. 2). The connection part 30 (and/or thesafety module part 20) further may comprise a number of push buttons301.

The safety module part 20 and the connection part 30 mounted togetherform a safety unit 10 fulfilling safety standards for safety functions.The circuitry is preferably designed according to safety standards suchas for example EN (European standard) ISO 13849-1 Performance level d,category 3 and MTTF high or low. This means in this case two redundantsafety circuits with two processors. The inputs and outputs are designedto detect failures in connections such as short circuits and wrongconnections. Some or all I/O: s (inputs/outputs) can be selected assafety inputs or safety outputs and they are controlled by bothprocessors. Some outputs have relay contacts. The power supply isnormally 9-30V DC voltage, or a battery, here power is supplied to thesafety module 20; in other embodiments the power supply may be providedat the connection part, see e.g. FIG. 3. In advantageous embodiments oneand the same safety unit can be used with 12V DC as well as with 24V DC.

The safety module part and the connecting part are mechanicallyinterconnected or mounted together e.g. by means of an interconnectingarrangement comprising flanges or by means of an interconnectingarrangement comprising a sealing element and a protruding element or rimoutside which interconnecting screws are provided (see e.g. FIGS.13A,13B,14A,14B) to form an encapsulated safety unit 10 fulfilling orexceeding the enclosure demands for the installation concerningprotection against dust and water. Normally IP (International Protectionrating) 54 is required in the industry but also higher demands such asIP 67 to 69 could be demanded. FIGS. 13A,13B as referred to above showan interconnecting arrangement comprising a sealing arrangement allowingthe interconnection of the safety module part and the connection part ofthe safety function control module (safety unit) allowing fulfilment ofthe relevant enclosure demands. In alternative embodiments flanges canbe used instead, or additionally, to ensure fulfilment of applicableenclosure demands. Many different embodiments are possible.

Since the interconnection of the module part and the connection part andall connections and bushings are adapted to fulfil applicable enclosuredemands, the safety unit 10 can be used for external mounting. Allsignals are handled in the safety unit and all electrical connectionsare provided in the safety unit.

Further, according to the invention, the complete safety function for agate is included in the safety unit 10. A sensor for a gate and a timereset push button is connected with cables to the safety unit 10. Areset and emergency stop push button 301 is mounted directly on theconnection part 30 of the safety unit 10 as referred to above. Themachine(s) and/or the process(es) are connected directly to the safetyunit 10. This limits all the extra cabling required in state of the artsystems for any control cabinet, which hence is not needed. All signalhandling is made in the safety unit 10 which reduces the number of wiresin the cables. According to the invention, the safety function iscertified beforehand for the application and no extra description isneeded. Further, according to the invention, the paperwork for thedocumentation of the safety function is done beforehand and can be usedfor a machinery documentation. The user only has to verify that heeither has connected all the wires to the right terminals or placed theright connectors to the right connection plugs. A safety unit, i.e. asafety function control module, 10 according to the present inventioncan be used on any safety system on the market which has safety stopinputs for a machine, a production line or a process. The safety unit 10is not dependent on special safety devices or brands of safety devices.

If for example more stop outputs are needed than those available on asafety unit 10, a further safety unit 10 just needs to be added withoutput expansion functions. Alternatively, or additionally, if moreinputs with the same function are to be connected, an input expansionsafety unit just needs to be added by means of interconnecting meansarranged such that required enclosure demands are met. The safety unit10 (the safety module 20) is programmable by the supplier, which meansthat the number of safety functions is in principle unlimited. Thesoftware program(s) is/are installed either via a computer or through amemory card inside the safety module 20.

FIG. 3 shows an alternative embodiment of a safety unit 10A.

The safety unit 10A is similar to the safety unit 10 of FIG. 2 exceptfor the voltage supply by means of a 9-30V DC voltage supply or abattery being connected to the safety module 20A, and there being noterminal for the connections between the safety module part 20A and theconnection part 30A, but instead a number of wires 21A. It should beclear that there could alternatively have been a terminal, or that thepower supply could have been provided to the connection part; there isno dependence between the features of power supply and whether this isprovided to the connection part or the safety module part, and theprovisioning of a terminal or wire connections. The safety unit 10A willnot be further described, since the other features and the function havealready been discussed with reference to FIG. 2, and like elements bearthe same reference numerals but provided with an index “A”.

Through a safety unit as described with reference to FIGS. 2,3 thecontrol cabinet of state of the art devices is rendered superfluous. Inaddition, paper work, documentation and inspection costs are reduced.Also, which is extremely advantageous, performing modifications andimprovements of a safety system in which safety units according to theinvention are used, is considerably facilitated and costs thereforeconsiderably reduced.

Through such a safety unit also the number of cables, as well as thenumber of wires in a cable, can be reduced to a large extent, which isextremely advantageous from, among other things, an installation pointof view, a maintenance point of view, for trouble shooting, and alsosaves a lot of costs.

A particular advantage consists in the possibility of certification ofthe safety units comprising complete safety functions, i.e.certification can be done on beforehand, upon manufacture.

Further, since the safety units are made in external boxes for directconnection of safety devices, push buttons, machines and processes costsand labour can be saved. Also, since the external safety units compriseconnectors for standard cables it is only needed to verify that thecables are connected between the right connectors instead of verifyingevery separate wire in a cable. This also reduces the maintenance costsas the safety units are easy to exchange.

FIG. 4 shows an embodiment of a safety unit 10B. Similar elements bearthe same reference numerals as in FIGS. 2,3 but indexed “B” and theywill not be further discussed herein. The same variations are alsopossible for the safety unit 10B. The safety unit 10B supports wirelesscommunication WL.

In the area of safety within industry or similar there has for a longtime been a need for safe wireless control in order to be able torealize safety solutions for equipment, machines, processes etc., andalso for mobile equipment, in order to facilitate and at least to someextent remove the need for complicated and costly cable drawing and toavoid production stops and disturbances due to cable wear. It is knownto use bus systems for communication via a wireless link, but they aresensitive to disturbances and the reaction times are often too long.Some known systems use available standardized systems such as Bluetooth,but also then the reaction time is often too long among other things dueto the multitude of applications to be handled by Bluetooth.

Wireless control and communication systems implemented in known systemsused within the crane industry often comprise a transmitting unit and areceiving unit. As far as safety is concerned, a reaction time of 500 msis accepted for an emergency stop. Within e.g. manufacturing orproduction industry, where the safety distances often are much shorter,the normally required reaction times are 100 ms, in some instancesreaction times as short as below 20 ms are required.

For safety systems within production industry they often have to be setup and involve several machines and/or processes, and a plurality ofsafety arrangements need to communicate in both directions. If onemachine is stopped by a safety device or system, it is very likely thatalso other machines or processes need to be stopped as well, anddifferent safety measures need to be communicated in both directions.This may become very complex and therefore programmable safety systemsare often used. As also referred to above, such programmable systemsinvolve high requirements on the programmer and on the system, and ontesting and verification. Often the systems have to be checked bycertified instances in order for the production system being approvedfor taking into operation.

Through safety units according to the inventive concept, as alsodiscussed above with reference to non-wireless safety units, certifiedsafety functions can be provided without requiring a new certificationof an entire system.

The wireless safety unit 10B implements a communication protocol adaptedfor safety control and communication, and comprises short messages witha frequency which is as high as needed in order to allow the requirednumber of messages to be delivered.

In a simple embodiment there are but two units communicating with eachother, and which in combination can replace a cable. The communicationmay be one-directional or two-directional.

For a production system with a plurality of machines and/or processesand several safety arrangements, several safety units communicating withone another, in both directions, are needed. Each one of the safetyunits also need to be programmed for performing internal functions, i.e.monitor safety arrangements connected to the stop functions of themachine itself. In order to avoid disturbances when wirelesscommunication and control is implemented, a protocol is needed, as alsoreferred to above, according to which transmission takes place in ashort time since it has to be considered that several transmissions maybe lost. The basic idea is that a plurality of accepted packets areneeded in order to assure a safe control. Therefore each safety unit 10B(only one shown in FIG. 4; cf. FIGS. 9-11 for safety systems) transmitsI/O status on all safety units comprised in a system, cf e.g. FIG. 7.This means that the status of each unit is repeated by the other units.The transmitted information also comprises information about the time ofthe transmission. The time of the transmission is then also used fordetermining if the transmission time falls within a predeterminedmaximum time interval of e.g. 100 ms, which in turn indicates a minimumnumber of accepted status information messages of a unit. If the timeperiod between accepted status information messages exceeds thepredetermined maximum time interval, the I/O from a unit is set to “0”.The units using I/O with value “0” will set the output/outputs usingthis value to zero, “0”. Thereby the basic preconditions for safetycircuits, meaning that loss of energy shall induce a safe position, aremet.

The safety unit 10B comprises at least two cable connections which maybe programmed to act as a safe input and/or output, and supportswireless communication with at least one other unit. Preferably thefrequency 2.4 GHz is used for the wireless communication. It shouldhowever be clear that the inventive concept is not limited to thisspecific frequency, but alternatively also other, lower as well ashigher, frequencies can be used. Each unit is given an identificationnumber, and in some embodiments, also a node number; see e.g. FIG. 11below.

The maximum communication time interval referred to above preferably canbe set to different values, and can be changed and set to differentvalues e.g. between 20 ms and 500 ms and also higher or lower. Inadvantageous embodiments the setting of the reaction time is done viasoftware.

Preferably a message sent between any two units is repeated by one ormore other units, providing a reliable communication.

Preferably a safety unit is capable of transmitting several times in 20ms.

In preferred embodiments the safety units are freely programmable.

As also referred to above, each transmitted message comprises a timeindication that can be measured or detected, which provides informationabout when it was transmitted, in order to enable determining if atransmitted message is received within a predetermined allowable timeinterval. Two safety units are able to replace a cable between a safetysensor and a machine control or similar.

Each safety unit 10B (also applicable for the non-wireless safety unitsdiscussed above as well as several or all other features with theexception of the wireless protocol and features associated with wirelesscommunication) may contain a replaceable memory card comprisingprograms, id-number, and optionally also node number, which can be movedto another safety unit if a safety unit e.g. needs to be replaced. Amemory card for a system comprising one or more safety units can bemounted without requiring the user or the operator to perform anyprogramming, i.e. this is done automatically as soon as the memory cardhas been mounted or manually by just pressing a button and power issupplied to the safety unit.

Preferably the encapsulation of each safety unit meets at least therequirements concerning protection against particles or dust and wateringress of e.g. IP 54, in advantageous embodiments e.g. up to IP 69.

In advantageous embodiments two or more safety units, wireless or not,can be interconnected such that the encapsulation class requirements aremet, see e.g. FIGS. 5,6 below. This particularly means that cables/wirescan be connected between the safety units without requiring specificsealing.

FIG. 4A is a schematic block diagram showing a basic design ofcommunication of a wireless safety unit 10B (not indicated) providedwith an indication display 303 with a number of LEDs for indicationpurposes. The safety inputs normally comprise double inputs, resetinputs and supervision inputs for contacts. The safety outputs normallycomprise double outputs, relays etc. Non-safe I/O refer to non-safeinputs/outputs e.g. for information and other non-hazardous functions.The WL protocol is a wireless protocol used for communication with othersafety units and/or information units or modules and/or for safetycommunication.

It should be clear that the features also are applicable in case of anon-wireless safety unit, in which case hard-wired communication isimplemented instead of wireless communication.

FIG. 5A shows a mounting arrangement 60 according to one embodiment forinterconnection of two safety units. It comprises a first portion 61Awith, here, e.g. an M6 threading, and which here has a diameter ofapproximately 16 mm, a second section 61B with a diameter of 12 mm and athird section 61C diameter of 20 mm, which forms an outer edge andpreferably is provided with openings for a pin or similar for allowingtightening of the screw.

FIG. 5B shows the head of the screw 60 with the third section 61Cforming the outer edge. It is provided with an internal through hole oropening 66 for allowing the passage of cables between interconnectedsafety units.

FIG. 5C is a schematic view of a screw 60′ e.g. as in FIGS. 5A,5Bshowing the threading 64; preferably there are no threads close to thehead or third section 61C′, which here is illustrated as having ahexagonal shape for facilitating fastening/removal by means of e.g. atorque wrench. Of course also the third portion or head of the screw 60of FIGS. 5A,5B may have such a shape, or any other appropriate shape forsecuring/removal purposes. Other elements bear the same referencenumerals as in FIGS. 5A,5B and will therefore not be further discussed.Preferably there are no threads close to the head. The screw is mountedinto the short side of one safety unit and secured through the adjacent,joining short wall of the other safety unit to which it is to bemounted. The screw can be accessed through an upper open side of thesafety module where it is to be connected to the connection part. Ofcourse the interconnection of safety units may be achieved in a similarmanner through instead mounting two connection parts to each other bymeans of a screw 60,60′. It is also possible to instead, oradditionally, provide for mounting safety units to one another along thelong sides of the safety units, by correspondingly mounting theconnection parts and/or safety modules using mounting screws asdiscussed above.

FIG. 5D shows a safety unit 10′ comprising a safety module part 20′ anda connection part 30′ with connection cables 211A′ and 311A′respectively provided diagonally or offset in order to provide morespace for the connection cables. The safety unit 10′ comprises anemergency push button 301A and start, stop and reset buttons 55,56,57.

FIG. 5E shows a safety unit 10′ as in FIG. 5D and three further safetyunits 10″,10′″,10″″ mounted on a fencing 80 comprising, here, a 40 mmAl-profile.

FIG. 5F is a front view of the safety units 10′, 10″,10′″,10″″ as inFIG. 5E mounted on a fencing 80 comprising, here, a 40 mm Al-profile.Here safety unit 10″ is provided with four connections, e.g. with M12threadings, for protection or safety devices or machines etc.

FIG. 5G shows three exemplary safety units 10′,10″,10″ substantially asin FIGS. 5D-5F in an unmounted state.

FIG. 6A very schematically illustrates two interconnected safety units10′,10′. The safety units may be of any appropriate kind, e.g.corresponding to the safety units described more in detail withreference to FIGS. 2-3, or of any other appropriate kind.

They are here interconnected by means of an interconnecting arrangement60, e.g. comprising screws of a plastic material, as described withreference to FIGS. 5,5A above.

The safety units are here further interconnected by means of a screw 60connecting the safety units through openings provided in oppositelyarranged side walls 63,63 here having a wall thickness of about 3 mm.The screw 60 and the wall openings here are provided with an M16threading 64. Reference numeral 62 is intended to indicate spaceallowing arranging of a seal between the encapsulations 67,67 of thesafety units 10′,10′.

FIG. 6B shows the safety units in an unmounted state for illustrativepurposes.

FIG. 6C is a view in perspective of the interconnected safety units10′,10′ of FIG. 6A. In FIG. 6C the connection parts 30′,30′ areconnected to the safety module parts 20′,20′ by means of screws 35 or inany appropriate manner. For reasons of simplicity no push buttons etc.are shown in FIGS. 6A-6C, the mere purpose of these Figures being toillustrate how two (or more) safety units can be interconnected by meansof the interconnecting arrangement 60. In this case the bottom parts (orsafety module parts) 20′ are connected to each other. Therefore theshort sides (or short side walls) of adjacent parts to be mountedtogether are made to form 90° with each other (and with the longitudinalsides of the respective part). Such parts (with short sides forming 90°with the long side walls, bottom wall, and upper wall) can be made usingjaws which are movable in order to enable removing the part from aplastic forming tool during manufacture.

The housing in advantageous embodiments has a width of 40 mm sincestandard fencings often have 40 mm profiles as posts.

Also the cables 310′,310″ are only shown very schematically, referenceis in this context made to FIGS. 2-4, and the description relating totight encapsulation above. Also, the power supply is not explicitlyillustrated, reference being made to FIGS. 2-4 and the correspondingsections in the description.

FIG. 7 is a very schematic illustration of communication between aplurality of safety units 10A, 10B, . . . , 10I as also discussed morethoroughly above. In some embodiments all safety units are incommunication with all the other safety units, directly or indirectly.In some embodiments not all safety units communicate directly, butindirectly via one or more other safety units. As an example, if tensafety units are mounted at a respective distance from each other, eachsafety unit e.g. only receives messages from up to two other safetyunits, each at a distance from the other, i.e. safety unit 1 onlyreceives messages from, or listens to, safety unit 2, safety unitreceives messages from safety unit 2, and safety unit 3 receives fromsafety units 4 and 2 etc. This means that safety unit 10 receivesinformation directly from safety unit 1 via safety unit 9, which hasreceived it from safety unit 8, which in turn has received it fromsafety unit 7 etc. This in turn means that the status information ofsafety unit 1 will be at least 9 transmissions “old”, but this isacceptable as long as it is received within the set reaction time.

One (or more) of the safety units may e.g. in addition communicate viaWi-Fi allowing remote monitoring via a portable communication device ora fixed remote device, e.g. a computer, a Laptop, an I-pad, a mobiletelephone etc.

FIG. 8 also is a schematic illustration of a plurality of safety units10B′,10B″,10B′″ . . . , wherein wireless communication is implementedbetween safety units 10B′ and 10B″, and wherein hard-wired communicationis implemented between safety units 10B″ and 10B′ . . . . Hardwiredconnections are also implemented for connections to machines, emergencystops, push-buttons, enabling devices and other safety devices in thisembodiment.

FIG. 9 schematically illustrates a safety system 101 installed forensuring safe conditions of hazardous machines and processes 6, withinan hazardous space 7, and in a very simplified manner also illustratesenclosures 5 and an interlocked gate 15. At, or adjacent, an enclosure 5a safety unit 10 is provided which comprises connections and pushbuttons for emergency stop and reset; see e.g. the safety units 10,10Ain FIGS. 2,3. A safety sensor arrangement 41,42 is provided fordetecting the opening state of the gate 11. The safety unit 10 is incommunication with the safety sensor arrangement 42 by means of ahardwired connection. It also is in communication by means of ahardwired connection with a time reset 43, and by means of furtherhardwired connections with the hazardous machines and processes 6.

The safety unit 10 is supplied with power as discussed e.g. withreference to FIG. 2 (not shown in FIG. 9), for example optionally any of12 or 24V DC, and comprises a voltage converter or transformer fortransforming down the voltage respective voltage to the lower voltage ofthe components, e.g. about 5V or lower.

It is extremely advantageous that 12V as well as 24V can be used.

As also discussed more in detail below, with a safety unit 10, a safetysystem 101 as disclosed herein, any control cabinet can be dispensedwith, and is rendered superfluous.

In particular, advantageous, embodiments, wireless communication isprovided between safety units, wherein each safety unit is assigned aunique number in a system of safety units. All safety units arereceiving and transmitting I/O data from the other safety units in thesystem. The information may e.g. comprise information used in a safetyunit to connect LEDs which provide status information such as anemergency stop button on a particular safety unit is pressed or aparticular gate is opened etc.

The information may be transformed into information in a computerconnected to a safety unit. The information may also be transformed toother wireless systems as for example Wi-Fi and be read in a unitconnected to Wi-Fi, allowing remote monitoring and control, which isextremely advantageous.

The information may also be transformed to a PLC-system through an I/Omodule or a gateway connected to a safety unit.

Thus the information about the status of, or in, the safety system iscommunicated wirelessly.

FIG. 10 schematically illustrates an alternative embodiment of a safetysystem 101 ₁ installed for ensuring safe conditions of hazardousmachines and processes 6 within an hazardous space 7, and in a verysimplified manner also illustrates enclosures 5 and an interlocked gate15 ₁. At, or adjacent, an enclosure 5, a safety unit 10A is providedwhich comprises connections and push buttons for emergency stop andreset; see e.g. the safety unit 10A. A safety sensor arrangement 41 ₁,42₁ is provided for detecting the opening state of the gate 11 ₁. Thesafety unit 10A is in communication with the safety sensor arrangement42 ₁ by means of a hardwired connection. It also is in communication bymeans of a hardwired connection with a time reset 43 ₁, and by means offurther hardwired connections with the hazardous machines and processes6. In this embodiment the safety unit 10A supports wirelesscommunication over a wireless communication network 11 ₁ as discussedearlier in the application with an information panel 121 e.g. comprisinga number of LEDs indicating for example pressed emergency stops, openedgates etc. In FIG. 10, the information panel 121 also is in wirelesscommunication 11 ₂ with another safety unit (not shown).

The safety unit 10A is supplied with power as discussed e.g. withreference to FIG. 2,3 or 4 (not shown in FIG. 10), for example 12 or 24VDC.

FIG. 11 schematically illustrates an alternative embodiment of a safetysystem 101 ₂ installed for ensuring safe conditions of hazardousmachines and processes 6 within a hazardous space 7, and in a verysimplified manner also illustrates enclosures 5 and an interlocked gate15 ₂. At, or adjacent, an enclosure 5, a safety unit 10B is providedwhich comprises connections and push buttons for emergency stop andreset; see e.g. the safety unit 10B in FIG. 4 (or safety units 10,10A ofFIGS. 2,3). A safety sensor arrangement 41 ₂,42 ₂ is provided fordetecting the opening state of the gate 11 ₂. The safety unit 10B is incommunication with the safety sensor arrangement 42 ₂ by means of ahardwired connection. In this embodiment the safety unit 10B supportswireless communication 11 ₄₁ with a time reset 43 ₂, here also forming asafety unit, and also with the hazardous machines and processes 6, herealso comprising or forming a safety unit, the communication 11 ₄₁ iswireless. In this embodiment the safety units 10B, 43 ₂,6,121 alsosupport wireless communication over a wireless communication network1111, as also discussed with reference to FIG. 10, with an informationpanel 121 e.g. comprising a number of LEDs indicating for examplepressed emergency stops, opened gates etc. In FIG. 11, the informationpanel 121 itself forms a safety unit and also is in wirelesscommunication 1121 with another safety unit (not shown). The informationpanel may also, or alternatively, comprise a Wi-Fi unit, safety unit 10Bhence also supporting communication via Wi-Fi, in addition to thewireless communication with the other safety units via the proprietaryprotocol.

The safety unit 10B is supplied with power as discussed e.g. withreference to FIG. 2,3 or 4 (not shown in FIG. 11), for example 12 or 24VDC.

In advantageous embodiments safe wireless communication is providedbetween several safety units. Each safety unit will be assigned a uniquenumber and a node id. In this case different systems can be provided.Two safety units can be used in exchange for a cable. The safety unitscan exchange safety data in both directions. This is particularlyadvantageous when cable installation is difficult or very expensive. Formobile machines the installation of safety devices and provisioning ofreliable safety conditions is extremely facilitated. When several safetyunits are connected to each other wirelessly it is easy to stop movablemachines when an emergency stop push button is pressed or when a gate isopened to an area with mobile machines. This does not only make iteasier, it additionally enables for introduction of new safetyarrangements and for new machine applications.

In order to reduce the costs for the wireless communication standardfrequencies for wireless communication are preferably used. This howeverincreases the risk for disturbances in the communication. Therefore theprotocol is made for short time communication and for fast detection ofrelevant data packages as also discussed earlier in the presentdocument. It is also made possible to have two communication frequenciesat each safety unit. The channels for communication can be eitherautomatically or manually selected depending on the environment. Inorder to be able to use the wireless communication for safetyapplications requiring short reaction times, the communication packagefor each safety unit is made short in order to be able to reach a shortreaction time, preferably down to 20 ms. For some applications thereaction time can be much longer, e.g. up to for example several secondsfor machines when it takes several seconds to reach the machine after agate has been opened.

The number of safety units exchanging the I/O status between each otherwill be limited depending on the required reaction time and on theenvironment. More than one system with safety units can however be usedin the same environment. For the communication between them, the same ordifferent channels can be used depending on the logic selected for thecommunication and the required reaction time.

For a safety system loss and return of power supply shall not causehazardous conditions. Neither shall loss of wireless communication causehazardous conditions. If power supply is lost to e.g. the described gatesafety function, the machines and processes will be stopped. A restartwould require making sure that no one is inside the fence by making thereset procedure.

If wireless communication is lost for a time period exceeding themaximum allowed reaction time (for example 400 ms) between a safety unitinstalled at a gate and a safety unit installed in a machine, this willlead to a stop of the machine. The same reset procedure would berequired at the gate in this case as for loss of power supply.

If the safety unit e.g. is used for a safety function with a lightbarrier, the maximum allowed reaction time would be shorter, for example20 ms in many cases. A light barrier can be passed much quicker than agate and therefore the requirements on the wireless communication wouldbe much higher. Lost communication for more than 20 ms between safetyunits exchanging safety signals would lead to a stop of e.g. themachine. In environments where wireless communication is not reliablefor short reaction times, this can be solved e.g. by using a directconnection between the safety unit, light barrier and the machine. Thesafety function for this would not depend on the wireless communicationas this is done within one safety unit and the safety unit itself wouldhandle a stop within 20 ms if the light barrier is passed by someone. Ifthe safety unit also has an emergency stop connected to other safetyunits through the wireless network, the maximum reaction time for lossof communication could be set up to 500 ms.

Hence, in such embodiments, also the safety communication between safetyunits, between safety units and machines and processes is wireless.

A plurality of further different safety functions can be provided andfacilitated by means of a safety unit, or a safety system, according tothe present invention, of which a few examples comprise providing aconnection box for a portable two-hand device with or without cable, aconnection box for a portable enabling device with or without cable, aconnection box for a portable two hand-device with or without cable,providing bypass connection systems for light barriers and light beamsfor the handling of material into and out of hazardous spaces, providingsafety sectors for loading and unloading of machines with or withoutwire, providing connection boxes for inputs, start, stop, emergency stopand supervision of internal contactors in a machine or process.

FIG. 12 shows an exemplary safety system 101 ₃ comprising a number ofsafety units 10A′,10B′,10C′,10D′,10E′ for safety control of fivehazardous machines 6A′,6B′,6C′,6D′,6E′ enclosed by means of enclosures5A′, . . . , 5E′ enclosing respective hazardous zones 7 provided withgates 15A′, . . . , 15E′, the state (opened/closed) being detected bymeans of safety sensors (not explicitly illustrated in FIG. 12) as morethoroughly discussed with reference to FIGS. 9-11. It is here supposedthat the safety units, the safety sensors, the machines and the timeresets 4A′, . . . , 4E′ are interconnected by means of wires. Inalternative implementations the interconnection can be provided entirelyby means of a wireless network as discussed above e.g. with reference toFIG. 11. In the shown embodiment safety unit 10A′ additionally supportsa Wi-Fi-connection, e.g. allowing remote monitoring and control e.g. viaa mobile device such as an I-pad, a mobile phone, a Laptop etc. Sinceall the safety units are interconnected, wirelessly or via cables,information is provided concerning all current safety conditions for thewhole system, which is extremely advantageous.

With reference to FIG. 13A and FIG. 13B a connection part 30D and amodule part 20D respectively of a safety unit 10D which is substantiallysimilar to the safety units shown in FIGS. 5D,5G are shown. FIGS. 13Aand 13B show one advantageous way of interconnecting or mounting theconnection part 30D and the module part 20D using an interconnectingarrangement such that enclosure demands are fulfilled as discussedabove. FIG. 13A shows the inner side of a connection part 30D, here anupper part. Along the outer edges a groove is provided between anexterior wall section or an outer edge 71D and an interior wall section72D. The groove, along each longer side section, here at three differentlocations, is arranged to form a bend of a substantially semi-circularor U-shape, or any other appropriate shape, or bulge inwards towards theopposite long-side, in order to leave space between the groove and theouter edge or rim of the connection part 30D at such locations for ascrew hole 35D. A sealing member 70D e.g. comprising rubber, e.g.Gore-Tex™, is introduced into the groove, hence being arranged along theouter edges of the connection part 30D, except for where screws are tobe received from the upper side of the connection part 30D forinterconnection with the module part 20D. For illustrative orexemplifying purposes connections 58D,59D are very schematicallyindicated. In alternative embodiments there may also be left spaceoutside the sealing member for holes allowing mounting to a wall orsimilar by means of screws.

FIG. 13B is an inner view of the module part 20D, which is provided witha protruding rim or lip of the same shape and corresponding locationwith respect to the external edges 81D of the module part 20D as thegroove (or seal) with respect to the external edges of the connectionpart 30D, leaving space for, here, six threaded screw holes 36D forreception of mounting screws introduced into the screw holes 35D of theconnection part 30D. Thus, when the connection part 30D and the modulepart 20D are mounted by means of mounting screws screwed into holes 35Dlocated outside the sealing member 70D and received in the threadedscrew holes 36D in the module part 20D, the rim 80D will be pressedagainst the sealing member 70D, ensuring a tight enclosure. 200Dschematically indicates the space for PCB and components.

FIG. 14A is a very schematic cross-sectional view in an enlarged scaletaken though a safety unit comprising a connection part 30D and a modulepart 20D as in FIGS. 13A and 13B in a position for interconnection (anexample of a safety unit is e.g. shown in FIG. 5G). It can be seen howthe sealing member 70D located in a groove will be forced againstprotruding edge 80D, shown in an even larger scale in FIG. 14B showingsection A as indicated in FIG. 14A.

According to the invention a safety unit is hence mechanicallyencapsulated, and, as also discussed earlier, several units areinterconnectable such that relevant encapsulation requirements arefulfilled, allowing different expansion possibilities, and a modularsystem is provided, e.g. adapted for external mounting on a fencing or aprofile, and the functions previously handled by a control cabinet havebeen moved to, and can be handled by the safety unit. All connectionsare handled within the safety unit, and all bushings are sealed.

The invention is of course not limited to units or systems fulfillingthe above mentioned standards or requirements, but is equally applicableto other standards, in addition or solely, or to only some of thesestandards depending on the specific environment and specific needs.

It should also be clear that the invention is not limited to the shownembodiments but that it can be freely varied within the scope of theappended claims.

It should further be clear that also in other aspects the invention canbe varied in many different ways. It is particularly not limited to anygiven dimensions or numbers discussed for any of the constituentelements or parts or functions. They can be smaller as well as larger.It is also not limited to any particular number of safety units in asystem or that are mechanically interconnected. The module part and theconnecting part forming a safety unit may be made of plastic, and rubberseals are preferably used. In alternative embodiments flanges are usedfor ensuring encapsulation.

It is particularly an advantage that a safety unit and a safety systemrespectively is provided which is easy to fabricate, install, which isflexible, control, modify and in particular which satisfies high safetystandards or requirements.

It is also an advantage that a safety unit is provided which comprises aconnection arrangement which facilitates the use with existing devicesof different kinds and which allows interconnection of safety devices,also for expansion purposes.

It is an advantage of the invention that the use of a special,customized, control cabinet is not needed which considerably facilitatesinstallation, makes the safety system less space demanding and saves alot of time at installation, for modification and also means that thecosts for the safety system can be considerably reduced. It is also anadvantage that time and costs associated with paper work, documentationand the inspections can be considerably reduced.

Still another significant advantage is that improvements andmodifications of a safety system can be made very easily and flexibly.Further yet it is an advantage that the number of cables, and, inaddition, the number of wires inside each cable, can be reduced.

1.-19. (canceled)
 20. A programmable safety unit for monitoring andcontrolling safety functions and safety equipment of a hazardousenvironment, comprising: a programmable safety module; a connectionpart; and at least two connections to the safety unit such thatencapsulation requirements of the hazardous environment are fulfilled,the at least two connections being programmable as safe inputs and/oroutputs for direct connection to at least a number of the safetyfunctions and/or safety equipment of the hazardous environment; whereinthe programmable safety module and the connection part interconnect suchthat encapsulation and interconnection is provided that fulfillsinstallation and encapsulation requirements of the hazardousenvironment, and such that the programmable safety module and theconnection part can be mounted, demounted, and replaced; theprogrammable safety unit handles all signals to and from the hazardousenvironment; and the programmable safety unit mounts externally to thehazardous environment.
 21. The programmable safety unit of claim 20,wherein the connection part includes directly mounted one or more resetand stop push buttons such that the encapsulation requirements arefulfilled.
 22. The programmable safety unit of claim 20, wherein theprogrammable safety module is programmed by a supplier of theprogrammable safety module.
 23. The programmable safety unit of claim20, wherein the programmable safety module comprises at least onesoftware program installed via a computer or a replaceable memory card,and at least two electronic processors for redundantly executing the atleast one software program.
 24. The programmable safety unit of claim20, further comprising standard cable connectors for the at least twoconnections, the cable connectors including seals such that theencapsulation requirements are fulfilled, and being configured to supplydirect-current electric voltage.
 25. The programmable safety unit ofclaim 20, wherein the at least two connections encapsulate andinterconnect the programmable safety module and the connection partaccording to standard requirements.
 26. The programmable safety unit ofclaim 20, wherein the programmable safety unit connects to at least oneother programmable safety unit while encapsulation requirements of thehazardous environment are fulfilled, cables between the programmablesafety units are connected without seals, and each programmable safetyunit comprises an external wall perpendicular to a longitudinalextension of the programmable safety unit and a bottom wall.
 27. Theprogrammable safety unit of claim 20, wherein the programmable safetymodule is adapted to handle safety and/or information signallingassociated with safety functions connected to or communicating with thehazardous environment.
 28. The programmable safety unit of claim 20,wherein the programmable safety module wirelessly communicates with atleast one other programmable safety unit or with the equipment in thehazardous environment.
 29. The programmable safety unit of claim 28,wherein the programmable safety module communicates wirelessly accordingto a protocol adapted for short time communication and for fastdetection of data packages.
 30. The programmable safety unit of claim29, wherein lengths of the data packages enable reaction in a reactiontime of substantially 20 milliseconds.
 31. The programmable safety unitof claim 30, wherein the reaction time is adjustable; the programmablesafety module is adapted to detect loss of communication with the atleast one other programmable safety unit or the equipment in thehazardous environment; and when loss of communication is detected, theprogrammable safety unit disables the respective equipment in thehazardous environment.
 32. A programmable safety system, comprising anumber of programmable safety units according to claim 20, eachprogrammable safety unit being connected to respective hazardousenvironment equipment.
 33. The programmable safety system of claim 32,comprising at least two programmable safety units according to claim 28,wherein the programmable safety modules of the at least two programmablesafety units communicate according to a proprietary wireless protocol.34. The programmable safety system of claim 32, wherein at least one ofthe number of programmable safety units wirelessly communicates withexternal equipment for remote monitoring and control.
 35. Theprogrammable safety system of claim 32, wherein each of the number ofprogrammable safety units provides status information and transmissiontime of the status information to at least one other of the number ofprogrammable safety units; and if status information of a programmablesafety unit is not received within a predetermined time interval, allsafety functions monitored and controlled by the number of programmablesafety units of the system are activated.
 36. The programmable safetysystem of claim 32, wherein each of the number of programmable safetyunits are assigned a respective unique identity.
 37. The programmablesafety system of claim 32, wherein each of the number of programmablesafety units communicates with hazardous environment equipment to bemonitored or controlled by cable or wirelessly.
 38. A method in aprogrammable safety system according to claim 32, comprising: assigningeach programmable safety unit of the programmable safety system at leasta unique identity; exchanging status messages between all programmablesafety units of the programmable safety system, the status messagescomprising information about transmission times of the status messages,such that each safety unit receives information about or from all otherprogrammable safety units; in each programmable safety unit, monitoringtime periods between status messages of other programmable safety units;and if a time period between status information messages of any of theother programmable safety units exceeds a predetermined time interval,or if a predetermined number of status messages are not received,stopping all hazardous environment equipment monitored by any theprogrammable safety units.